Cybersecurity Initiatives Lost After Snowden Leaks

Security program "radioactive" after spying revelations.

by KEN DILANIAN, MCCLATCHY NEWS SERVICE / February 3, 2014

Early last year, as Edward Snowden was secretly purloining classified documents from National Security Agency computers in Hawaii, the NSA director, Gen. Keith Alexander, was gearing up to sell Congress and the public on a proposal for the NSA to defend private U.S. computer networks against cyber

Alexander wanted to use the NSA’s powerful tools to scan Internet traffic for malicious software code. He insisted the NSA could kill the viruses and other digital threats without reading consumers’ private e-mails, texts and Web searches.

The NSA normally protects military and other national security computer networks. Alexander also wanted authority to prevent hackers from penetrating U.S. banks, defense industries, telecommunications systems and other institutions to crash their networks or to steal intellectual property worth billions of dollars.

But after Snowden began leaking details of NSA systems for spying in cyberspace last June, Alexander’s proposal was a political non-starter, felled by distrust of his agency’s fearsome surveillance powers in the see-sawing national debate over privacy and national security.

It was one of several Obama administration initiatives, in Congress and in diplomacy, that experts say have been stopped cold or set back by the Snowden affair. As a result, U.S. officials have struggled to respond to the daily onslaught of attacks from Russia, China and elsewhere, a vulnerability that U.S. intelligence agencies now rank as a greater threat to national security than terrorism.

“All the things (the NSA) wanted to do are now radioactive, even though they were good ideas,” said James Lewis, a cyber security expert at the Center for Strategic and International Studies, a nonpartisan think tank in Washington.

At town hall meetings in Wichita, Pompeo said, voters say the NSA already is reading their e-mails — which it staunchly denies — and they aren’t sympathetic to giving the agency more authority.

The Obama administration has said it plans to release this year a list of voluntary best practices in cyber security for critical infrastructure, including electric utilities and chemical plants. And the State Department’s cyber coordinator, Christopher Painter, has achieved some little-noticed successes, including agreements with Russia designed to smooth communications about cyber issues.

But President Barack Obama’s warnings last summer to Chinese President Xi Jinping to halt what U.S. officials describe as state-sponsored hacking of U.S. corporations mostly have gone unheeded. The official U.S. position — that governments hacking governments for military and other official secrets is permissible, but governments hacking businesses for trade secrets is not — is a tougher sell these days.

Leaked documents showing that the NSA spied on Brazil’s largest energy corporation, Petrobras, among other targets, have convinced many overseas that the U.S. government “engages in significant espionage related to economic affairs,” Harvard law professor Jack Goldsmith, a former legal advisor to President George W. Bush, wrote in an e-mail.

Although Washington insists governments shouldn’t spy on businesses, “the rest of the world ignores us because the U.S. position has no basis in international law, it is obviously self-serving, and it seems trite in the context of its massive surveillance in other contexts,” he added.

No one denies that cyber intrusions are a growing danger. U.S. Attorney General Eric H. Holder Jr. told a Senate hearing Wednesday that the Justice Department is investigating the cyber theft of 110 million Target customers’ data during a two-week breach in December, including debit and credit card numbers of 40 million customers along with names, addresses, e-mail addresses and phone numbers of 70 million others.

Similarly, CrowdStrike, a security technology and services company based in Irvine, Calif., said it recently identified a successful Russian campaign to steal data from hundreds of American, European and Asian companies, including energy and technology companies. CrowdStrike did not name the alleged victims, citing confidentiality agreements.

Many companies and institutions, which rely on a free flow of information, do too little to protect their networks. They also often are constrained from tipping off the government or other companies about computer attacks, or malicious software, because of potential shareholder suits or other legal liability.

The FBI, NSA and Homeland Security Department, in turn, are barred by law from sharing malware signatures obtained from classified systems with the public. The problem, experts say, is akin to disease specialists not being allowed to share information about bacterial strains.

White House-backed legislation to legalize such sharing — the Cyber Intelligence Sharing and Protection Act — always faced an uphill fight in Congress because of concern that companies would give too much customer information to the government. But after Snowden revealed that major telecommunications and technology companies were transferring vast amounts of Americans’ data to the NSA, the bill was shelved.

A Homeland Security operation called Einstein monitors Internet traffic to search for attacks and intrusions on networks used by federal agencies. It uses deep packet inspection technology to scan for malicious code headed the government’s way.

Alexander, who is retiring as NSA chief in March, had hoped last year to adopt a similar model for the entire World Wide Web, not just the government portion. Instead, he has spent the last seven months defending the NSA against criticism of the programs Snowden exposed, and seeking to repair the damage.